behind proxy: ssl_client: archive.apache.org: certificate verification failed: unable to get local issuer certificate #483

Open
cigano opened this issue Apr 10, 2019 · 5 comments

cigano commented Apr 10, 2019

Executing:

> docker-compose up -d

I got:

ssl_client: archive.apache.org: certificate verification failed: unable to get local issuer certificate

I got it solved by replacing line 18 of download-kafka.sh:

wget "${url}" -O "/tmp/${FILENAME}"

With:

wget "${url}" -O "/tmp/${FILENAME}" || wget "${url/https/http}" --no-check-certificate -O "/tmp/${FILENAME}"

And line 35 of the Dockerfile:

 && wget https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VERSION}/glibc-${GLIBC_VERSION}.apk \

With:

 && wget --no-check-certificate https://github.com/sgerrand/alpine-pkg-glibc/releases/download/${GLIBC_VERSION}/glibc-${GLIBC_VERSION}.apk \

But I'm not sure if this is the best way to solve it. If it is, I can submit a PR.

@sscaling
Collaborator

I'm not seeing any issues on travis or locally. Perhaps you have an outdated base image (i.e. expired root trust store)?

Try doing a docker-compose build --pull which should force pull the base image if it's out of date. Also make sure you have the current version of the Git repository as the older base images may have out-of-date root trust store.

Alternatively, you should just be able to use a pre-built kafka image hosted on dockerhub - https://hub.docker.com/r/wurstmeister/kafka/

@cigano
Author

cigano commented Apr 18, 2019

@sscaling I think it is good to give a little bit of context here.

The image is the latest one. The problem is that all the company network connections are made through a certificate that apparently is not widely trusted, so some software correctly points out that there's an SSL error.

Fixing this certificate is out of my reach, so what we need to do is usually tweaks. This is my suggestion for this Docker image, specifically. If nobody thinks it is necessary to improve, feel free to close this issue.

@sscaling
Collaborator

> The image is the latest one. The problem is that all the company network connections are made through a certificate that apparently is not widely trusted, so some software correctly points out that there's an SSL error.

Do you mean via a proxy with a not widely trusted cert?

@cigano
Author

cigano commented Apr 22, 2019

> Do you mean via a proxy with a not widely trusted cert?

@sscaling Yes, exactly.

@sscaling
Collaborator

It sounds like the image would first need to fully support proxies (currently it does not). Then you could build your own image based on this image as the base and just add the relevant certs to the CA root store. So until then, maintaining your own fork is probably the easiest.

@sscaling changed the title from "ssl_client: archive.apache.org: certificate verification failed: unable to get local issuer certificate" to "behind proxy: ssl_client: archive.apache.org: certificate verification failed: unable to get local issuer certificate" on Apr 23, 2019
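
The last suggestion in the thread, adding the proxy's CA to the image's root store rather than passing `--no-check-certificate`, sketched as an added example that is not code from this repository or from either participant. The function name `add_ca_to_bundle`, the file names and the placeholder certificate in `demo` are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from this repository). Function and file names are assumed.
# Trust the proxy's CA explicitly instead of passing --no-check-certificate.

# add_ca_to_bundle CA_PEM BUNDLE
# Prints "added" or "present"; returns 1 unless CA_PEM holds exactly one certificate.
add_ca_to_bundle() {
    ca_pem=$1 bundle=$2
    [ -r "$ca_pem" ] && [ -f "$bundle" ] || { echo "missing input" >&2; return 1; }

    # A trust anchor file must hold one certificate and never a private key.
    n_begin=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca_pem" || true)
    n_end=$(grep -c -- '-----END CERTIFICATE-----' "$ca_pem" || true)
    if [ "$n_begin" -ne 1 ] || [ "$n_end" -ne 1 ] ||
       grep -q -- 'PRIVATE KEY-----' "$ca_pem"; then
        echo "refusing $ca_pem: expected exactly one certificate" >&2
        return 1
    fi

    # Keep only the PEM block, dropping any text around it.
    pem=$(sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$ca_pem")
    body=$(printf '%s\n' "$pem" | grep -v -- '-----' | tr -d ' \r\n')
    [ -n "$body" ] || { echo "refusing $ca_pem: empty certificate body" >&2; return 1; }

    # Idempotent: compare base64 bodies with line breaks removed.
    if tr -d ' \r\n' < "$bundle" | grep -qF -- "$body"; then
        echo present; return 0
    fi
    [ -z "$(tail -c 1 "$bundle")" ] || echo >> "$bundle"   # ensure trailing newline
    printf '%s\n' "$pem" >> "$bundle"
    echo added
}

# Demo on constructed data: the "certificate" is placeholder base64, not a real CA.
demo() {
    dir=$(mktemp -d)
    printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQtUFJPWFktQ0E=' \
        '-----END CERTIFICATE-----' > "$dir/proxy-ca.crt"
    : > "$dir/bundle.crt"
    add_ca_to_bundle "$dir/proxy-ca.crt" "$dir/bundle.crt"   # first run: added
    add_ca_to_bundle "$dir/proxy-ca.crt" "$dir/bundle.crt"   # second run: present
    rm -rf "$dir"
}
demo
```

In a derived image the second argument would be the system CA bundle that wget's `ssl_client` reads, assumed here to be `/etc/ssl/certs/ca-certificates.crt` on Alpine. With the proxy CA trusted that way, the original `wget "${url}"` line keeps certificate verification on.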